Posted
by
Unknown Lamer
on Monday August 05, 2013 @11:04PM
from the but-it-doesn't-taste-like-a-pineapple dept.

darthcamaro writes "At the recent DEF CON conference over the weekend, vendor were selling all kinds of gear. But one device stood out from all the others: the Wi-Fi Pineapple — an all in one Wi-Fi hacking device that costs only $80 (a lot cheaper than a PwnPlug) and powered by a very vibrant open source community of users. Pineapple creator Darren Kitchen said that 1.2 Pineapple's per minute were sold on the first day of DEF CON (and then sold out). The Pineapple run Linux, based on OpenWRT, is packed with open source tools including Karma, DNS Spoof, SSL Strip, URL Snarf, Ngrep, and more and is powered by g a 400MHz Atheros AR9331 MIPS processor, 32MB of main memory and a complete 802.11 b/g/n stack. Is this a tool that will be used for good — or for evil?"

I, for one, am imagining a world where a large number of mass-produced devices, sold to a large number of different parties, can be used for both good and evil at the same time. Blows my mind; but there it is.

The account is currently "farming" karma and mod points by asking questions and posting comments that can be moderated up by other managed accounts.

guilty guilty guilty. I'm posting a shill question asking if the device comes in a pineapple, so I can post a self serving response and mod it up for greater visibility. Brought to you by Dole Pineapples!

I, for one, am imagining a world where a large number of mass-produced devices, sold to a large number of different parties, can be used for both good and evil at the same time. Blows my mind; but there it is.

Too bad packing its functions up in an easy appliance means it now no longer has anything to do with "hacking" at all. You aren't a "hacker" if all you do is run some appliance.

Might as well call yourself a master baker for using a bread baking machine... or even a toaster. Well, no, no you aren't.

That the security industry claims otherwise means that they are deluding themselves... and us. We're not getting our money's worth in security out of their efforts. But we do get nice toaster equivalents, complete with instant "hacker" label. Nice, innit?

It kinda hurts to admit it, but yes, you're right. Most of the security industry is a bunch of charlatans who are unable to produce more than cheap tricks to impress those that know even less than they do.

Every time we're about to hire some security consultants (which we have to, regulations require us to have my security system tested by outsiders) I kinda think I know how Penn&Teller feel when they host "Fool us". Only that the amount of half-talented stage magicians who show off ancient tricks is way higher for me.

It really is the same in every professional career. You hear much the same about lawyers, doctors and mechanics - the good ones are hard to find. In IT security, it is comparatively easy, just check what they publish.

Contact me by mail (tom@lemuria.org) and tell me which country you're in. I am in Germany and I have a couple contacts to pretty good people in several european countries. And if they can't help, they can point you onwards.

where have you been for the last 10 years?
It's still a problem even if it's not in _your_ inbox anymore - and it's MUCH more complicated than you might think to keep it out without blocking wanted mail.

His security is so rock solid he isn't worried. Kind of like that lifelock guy and his SS #.

Back in the days when I was doing SELinux work, I did in fact go to conferences, plug down my notebook, get an IP address, pick up a piece of paper, write the IP and the root password on it in large letters and pin it to the wall above my place.

First, you are an idiot if you think that the common obfuscation stuff will stop harvest bots. Seriously, you are.Second, my mail address is all over the net already. It doesn't matter if I post it to one more board. I've had this address for 15 years, it is in publications I've published, websites I run, e-mails, forums, pretty much everywhere.Third, obfuscation is not security.;-)Fourth, I didn't advertise my own services, but offered to make contacts, so even if in some strange paral

A good pen tester has to not only give you results to what he is doing, but also inform the company of how to fix what they are doing wrong. An example would be something as simple as upping their password complexity. Use Enterprise WPA2 instead of Personal WPA. Lock off your ports or lock up your switches. Upping password complexity.
Opportunist is correct in that there are the security testers who just invade and churn out a report that says: blah.
These guys get paid, but aren't worth much. Many o

Not only do I agree with you, but I have an example. Many years ago, I worked at an ISP as a sys admin. It was very early in my career. I had no college experience, and I was starting to learn to program and administer servers.

We were hired by a credit union as security consultants. They needed an audit of their new online banking system. The first thing I did was run Retina against their public server and a few script kiddie tools I had. I found that they had no firewall, an open SQL Server with no sa

Instead of wireless enabled fruit, device is actually just some plastic and electronic bits.
I was under the impression this device would be concealed in a pineapple for stealth hacks. (Nobody suspects the fruit with an antenna)

what! I wanted a wireless enabled fruit! I mean Apple has never produced any wireless or wired apples. Just things with apples on them. A red, apple shaped router would have been awesome and a conversation piece. Just think no one would suppect hacking with a pineapple sitting beside your laptop. (they would just you are crazy in starbucks. Damn, there is the perfect wifi hacking toolcase. A starbucks mug!)

I was also disappointed by that, but then realized that it is small enough that, with a little creativity, you could put it _inside_ a pineapple.

Cooling might be a minor problem, and the smell of Hawaiian pizza may tip people off to the illicit contents of the fruit basket which was just delivered, but at least it wouldn't need a pineapple-shaped sticker to justify its name.

Funny... when I heard it was called a pineapple, I presumed it looked like this:http://en.wikipedia.org/wiki/File:MkII_07.JPG [wikipedia.org]Of course, that's not going to help for stealth; I think anyone seeing one of those lying around is probably going to notice, duck and run (and then call out the bomb squad).

Going a step further, if a Pineapple user is inside a coffee shop (or office location), the research can execute what is known as a "deauth" attack, essentially disconnecting the end user from legitimate access point, then reconnecting him or her to the Pineapple.

However, some security experts say that weaknesses in WiFi and user behavior need to be identified and weeded out in order to make organizations more secure. If the Pineapple is able to help security researchers do that, they say, than it will improve security for us all.

As a user, how the fuck can my behavior be modified to deal with a deauthorization attack?WiFi has become so stupid simple to use that it leaves us vulnerable, despite all the encryption in the world.

Use a VPN. Either a paid one or a home one will do. If your connection is encrypted to a known safe point (the VPN provider), then it doesn't matter that they can sniff your traffic. This is why I have my machine set up to disconect from wifi when it can't connect to my VPN.

Mind you, this isn't a solution to the problems of WiFi, but is a solution to that particular attack.

Old joke: You can tell by how the techs three-piece suit fits whether he's a hack: If he wears one, he is.

But seriously, it's by no means short of frightening how many quacks and hacks (and I don't mean that as a compliment...) litter the field. Which is quite logical if there is little if any reputable and generally accepted (especially amongst management) certification system. And don't come with things like CISA and the like, I am not looking for a security manager, I'm looking for someone who can actually test a security implementation, not design it.

Now add that the average manager knows little beyond how to plug some device relatively accident free into some hole on his computer and you can easily see how knowledge free idiots who can navigate the surfaces of some "hack tool" (I'll use the term loosely here) can convince said managers that they are "security experts". In the kingdom of the blind and so on...

The problem is the delusion that managers don't need to know anything about what they manage. It's created a class of basically worthless MBAs that nevertheless get paid more than the people who have a clue what's going on.

Applicant: Well, what do you do here, anyway?Boss (surprised): You don't know? You want to work here, right?A: A good manager can manage everything, no matter what.B: And a good manager also knows that he should do his homework before getting into a meeting. Thanks for your time, no need to call. NEXT.

I can see buying one for the convenience of having all the software pre-installed for you, but the specs for the hardware aren't any different than a dozen home WiFi routers, which can run OpenWRT and sell for $40 [amazon.com].

I'd think giving those aging home routers a second life as security tools would be better than everyone buying another new product for twice the price, and eventually throwing both away. I recently added a USB sound card on mine, for use as a streaming audio player.

I have met Darren. He is a pretty decent guy. The hardware isn't what people care about. Its the software package it comes with. You can basically mitm wifi cards. Its based off of Jasager so anyone can do it. He did a show about setting one up. Its just lazy people buying the whole kit and he probably sold out cause he was selling them at a discount.
This isn't news in any regards though. These have been around for years. Last time I saw one it was white. Hak5 finally getting a wikipedia page that would be news.

While you claim others "don't get the concept", you seem to have totally missed the cornerstone of how F/LOSS is monetized.

It makes perfect sense for someone knowledgeable and skilled to assemble exactly the right hardware components, and compile+install just the right F/LOSS software components, into an easy-to-use appliance, and sell these at whatever price point the market is willing to pay. People are not paying for the "licenses" they are paying for the labor that went into combining all the supplied pieces together - and perhaps also for getting future support and developmen. In other words people are paying for professional services in a nice and understandable package.

I have no idea why you feel the need to bash this concept with such contempt, but this approach is just about the most popular way to monetize F/LOSS on the planet. It is also shows the clear strengths of F/LOSS: that anyone can take the software, modify it, expand it, improve it, and share it with all other customers without negative impact to the original supplier.

If you want to take the software and install it on a PC, go right ahead. Feel free to install other drivers in the process. Make a laptop-version and share it as much as you like. Go right ahead. But while you may be perfectly willing to spend loads of time on this, others may not. Not all network experts want to mess with assembling their own hardware. Or spend endless nights compiling new versions of [insert-whatever-FLOSS-component-here] just to make a brief packet analysis in the field. It is not trivial to compile and combine all the right F/LOSS products included in the packaged mentioned here and some people are happy to pay someone else to get that job done.

The fact that people are willing to put money on the table for the service and labor this man has produced with F/LOSS software is by no means "retarded". It is a testament to the viability of F/LOSS economy, and clear proof that customer value can be added to F/LOSS without bogging customers down in complex licenses and EULAs.

Ah, damn, I noticed too late you posted as AC. Well, since you won't stand by your words, I guess producing a decent and intelligent answer was a waste of time...

Either you give out the source and thereby lose control over its distribution, or you can ask money.

RedHat and many others do both, and they're very much compatible with open source. Their software is all open source, but you have to pay to get their exact binaries. A great many people do pay.

Their rule-of-thumb is that open source software companies can sustain a price of about 1/10th what a proprietary software company could. So there's very much an opportunity for monetization of open source, just not

Redhat also monetizes by their use of the "Redhat" trademark. You cannot redistribute Redhat's binaries or source "as-is" because if you do so you are violating trademark law, and they can (and will) sue you. The CentOS project spends a lot of time stripping Redhat's trademarks from RHEL prior to redistributing it as CentOS.

I don't see how anything you said is relevant to anything being discussed. How does Redhat's trademark change the previous statement:

"Either you give out the source and thereby lose control over its distribution, or you can ask money."

It does not change it. But that doesn't really matter because the statement itself is flawed and untrue.

You are totally free to ask money for F/LOSS while giving away the source and that is exactly what many F/LOSS business do. Customers pay for the software and while they do have the right to rewrite and recompile it all for free they simply choose not to - because the value provided with the software is greater and the price is acceptable for them. Maintaining and compiling software (F/LOSS or not) is com

Sorry, no "rant" was intended and nothing was targeted at you specifically. I had my eyes on the ball, not the man;-) and I believe my reply simply explains why the statement is false (in a F/LOSS context).

The statement is that you cannot monetize open source, which is fundamentally incorrect. Redhat has managed to monetize it quite effectively even while giving away their source simply because redistributing Redhat's source "as-is" is trademark infringement and therefore actionable, and modifying it to comply with trademark law is enough trouble as to not be worth it. Thus, Redhat gives out the source, retains control of distribution, and asks for money. Something that the GGP claimed is impossible.

The statement is that you cannot monetize open source, which is fundamentally incorrect. [...] Something that the GGP claimed is impossible.

Then why are you ranting about trademark to me, instead of replying to the GGP? I'm the one who mentioned RedHat as a counter-example in the first place, I hardly need a bunch of people ranting at me about someone else's false claims.

You are mistaken. Ask Redhat. Ask SuSE. Ask Google also, who is absolutely a master of monetizing "infinitely abundant information" and presenting in a way that can be monetized through their specific business model.

You may personally reject it all you want, but reality begs to differ. And while you can off course reject reality itself I really see nothing productive coming from that.

Only the organized crime (like the post-Bill-Gates software sector) that made up the lie about imaginary property to be able to create artificial scarcity and/steal money/ from people, acts like you can.

Most of us don't have a useful AP with USB just lying around, even if we are enthusiasts.

A decent number of people here specifically look for routers that can run some kind of Linux firmware before buying. There's really no reason NOT TO these days, since they're just as cheap as the worst junk hardware. And it's a great fail-safe even if you don't plan to use it, as you're in good shape even if the manufacturer's software is complete junk (like that D-Link).

A decent number of people here specifically look for routers that can run some kind of Linux firmware before buying. There's really no reason NOT TO these days, since they're just as cheap as the worst junk hardware.

Well, my reason not to has been that I didn't have a cellphone with data, and I buy most of my APs at yard sales. But now I do (albeit GPRS) so I can look up router compatibility...

The problem with buying random routers off eBay is you never know what you are going to get. Linksys are the worst, often having several very different hardware revisions under the same model number. As such you can't be sure if the one you buy will have the chipset you are expecting, and thus be able to run all the exploits you want and so forth.

For the sake of simplicity I don't think $40 for a guaranteed working and pre-installed solution is at all bad. If you waste an hour with your off-the-shelf router

I hope it can be used for evil, because "good" these days amounts to a circle jerk with NSA, DEA debauchery. Your privacy is yours to own, and if other people begin to realize how screwed they are maybe they will choose a better path.

Not lazy, just time poor. Some of us security professionals haven't got the time to play with distros, find the right drivers, mess around with package levels , find a proper sturdy case and all the rest. We just need a tool. Even the most expensive version of the Pineapple is less than half of what we charge per hour. I only spend time building my own hacking tools when I'm doing something out of the ordinary or if I have to make a hacking device look like it's not one. The things the Pineapple does is just pen-testing for dummies - but sadly, often that is enough to get through. I always start with the basics and move to more complicated attacks only if I have to. Same as any other genuine blackhat out there.

I don't know anything about this type of device, but looking in from the outside, the question springs to mind "How is this legal?"

It's for hacking into networks, right? Isn't that against the law, like, EVERYWHERE? It says "Stealth Access Point for Man-in-the-Middle attacks" - that sounds illegal. It also says "Easily concealed and battery powered " - nothing dodgy going on there!

How can this be used for good? Maybe a few people may use it to test the security of their network, but that's clearly not w

It's perfectly legal to use it with permission. Now we can debate just how likely it is that it's main market is for people who are only going to use it, with permission, to test security and demonstrate security risks, but it does have a legitimate legal use. Should we be able to ban products because a lot of their use will be to do something illegal? What threshold should we set? How do you observe and measure the proportions?

Ban it and someone will release a blank version with the ability to download

Wow. This was news when they were released back in 2008. It is interesting to see the devices becoming popular again.

Back in the day they were demoed by putting the little unit and batteries in a novelty plastic cup shaped like a pineapple. The lid had a hole for a straw that was just the right size for a wifi antenna.